# Fortinet FortiSIEM v7
The Fortinet FortiSIEM v7 connector enables seamless integration with Swimlane Turbine, providing automated actions for SIEM watchlist and event management.

Fortinet FortiSIEM v7 is a comprehensive SIEM solution that provides advanced security analytics, compliance reporting, and threat detection. This connector enables Swimlane Turbine users to integrate with FortiSIEM's robust monitoring and alerting capabilities, streamlining the management of watchlists, event queries, and organizational context retrieval. By leveraging this integration, security teams can automate the enrichment of security events, enhance incident response, and maintain a proactive security posture within their extended detection and response ecosystem.

## Prerequisites

Before integrating Fortinet FortiSIEM v7 with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the FortiSIEM v7 API
  - Username: the username credential for API access
  - Password: the password credential for API access

## Capabilities

This connector provides the following capabilities:

- Add Watch List
- Add Watch List Entry
- Delete Watch List by ID
- Delete Watch List Entry by ID
- Fetch Incidents by Filters
- Get Agent Status by Host
- Get All Watch Lists
- Get Device Information
- Get Devices
- Get Event Query Progress by ID
- Get Incident by Incident ID
- Get Incidents by Query ID
- Get List of Monitored Organizations
- Get Watch List by Watch List Entry ID
- Get Watch List by Watch List ID
- and so on

## API Documentation Link

FortiSIEM API documentation: https://fndn.fortinet.net/index.php?/fortiapi/2627-fortisiem/3790/

## Configurations

### Fortinet FortiSIEM v7 HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Username | The username, in the format `<organizationName/username>` | string | Required |
| Password | Password | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Watch List

Creates a new watchlist with specified entries in FortiSIEM for enhanced monitoring.

- Endpoint URL: `/phoenix/rest/watchlist/save`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| displayName | string | Optional | Watchlist display name |
| valueType | string | Optional | The value type of the watchlist; options are STRING, IP, NUMBER |
| type | number | Optional | This value must always be set to 32 |
| dataCreationType | string | Optional | Must be set to USER at all times |
| description | string | Optional | Description of this watchlist |
| entries | array | Optional | Parameter for Add Watch List |
| entryValue | string | Optional | Value of a single watchlist entry object |
| description | string | Optional | Description of this individual entry |
| ageOut | string | Optional | Definition of how long the entry is valid for before the system automatically removes the entry |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| id | number | Unique identifier |
| naturalId | string | Unique identifier |
| displayName | string | Name of the resource |
| description | string | Output field description |
| valuePattern | string | Value for the parameter |
| ageOut | string | Output field ageOut |
| topGroup | boolean | Output field topGroup |
| entries | array | Output field entries |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |

#### Example

```json
[
  {
    "json_body": {
      "response": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```
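The Add Watch List action has three documented invariants that are easy to get wrong from a playbook: `type` must be 32, `dataCreationType` must be `USER`, and `valueType` must be one of STRING, IP or NUMBER. The following added example (not part of the connector documentation or Fortinet's code) fixes the first two, validates every entry against the chosen `valueType` so a malformed indicator never lands in an IP watchlist, builds the `<organization>/<username>` Basic Auth header from the configuration section, and assembles the POST request through an injectable transport so it can be exercised offline. The hostname, organization, credentials and entries are constructed placeholders; `send`/`fake_send` are hypothetical helpers, not connector APIs.

```python
"""Build and send an Add Watch List request for the FortiSIEM v7 REST API.

Added example, not part of the connector documentation or Fortinet's code.
Assumes the /phoenix/rest/watchlist/save endpoint and field names from the
page and the org/username Basic Auth format from the configuration section.
All credentials, hostnames and entries are constructed placeholders.
"""
import base64
import ipaddress
import json
from typing import Callable, Dict, List, Optional

VALUE_TYPES = {"STRING", "IP", "NUMBER"}  # valueType options documented on the page
WATCHLIST_SAVE_PATH = "/phoenix/rest/watchlist/save"


def basic_auth_header(org: str, username: str, password: str) -> str:
    """FortiSIEM expects the Basic Auth user as '<organization>/<username>'."""
    token = base64.b64encode(f"{org}/{username}:{password}".encode()).decode()
    return f"Basic {token}"


def validate_entry(value: str, value_type: str) -> str:
    """Reject entry values that do not match the watchlist's valueType, so a
    typo or a stray log fragment never becomes a trigger condition."""
    if value_type == "IP":
        ipaddress.ip_address(value)   # raises ValueError on anything but an IP
    elif value_type == "NUMBER":
        float(value)                  # raises ValueError on non-numeric input
    elif not value.strip():
        raise ValueError("empty STRING entry")
    return value


def build_watchlist(display_name: str, value_type: str,
                    entries: List[Dict[str, str]], description: str = "") -> Dict:
    """Assemble the POST body. 'type' (32) and dataCreationType ('USER') are
    fixed by the action documentation, so they are set here, not exposed."""
    if value_type not in VALUE_TYPES:
        raise ValueError(f"valueType must be one of {sorted(VALUE_TYPES)}")
    body_entries = [{
        "entryValue": validate_entry(e["entryValue"], value_type),
        "description": e.get("description", ""),
        "ageOut": e.get("ageOut", ""),  # how long before FortiSIEM auto-removes it
    } for e in entries]
    return {
        "displayName": display_name,
        "valueType": value_type,
        "type": 32,
        "dataCreationType": "USER",
        "description": description,
        "entries": body_entries,
    }


# (method, url, headers, body) -> parsed JSON; hypothetical transport signature
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict]


def add_watch_list(base_url: str, auth_header: str, payload: Dict,
                   send: Transport) -> Dict:
    """Send the request through an injectable transport. A real deployment
    passes a function wrapping urllib/requests with TLS verification left on."""
    headers = {"Authorization": auth_header, "Content-Type": "application/json",
               "Accept": "application/json"}
    return send("POST", base_url + WATCHLIST_SAVE_PATH, headers,
                json.dumps(payload).encode())


def fake_send(method, url, headers, body):
    """Constructed stand-in for the FortiSIEM server: echoes what it received."""
    return {"method": method, "url": url, "auth": headers["Authorization"],
            "body": json.loads(body)}


if __name__ == "__main__":
    wl = build_watchlist("Blocked scanners", "IP",
                         [{"entryValue": "203.0.113.7", "ageOut": "7 days"}])
    auth = basic_auth_header("ExampleOrg", "api_user", "example-pass")
    print(json.dumps(add_watch_list("https://fortisiem.example.invalid",
                                    auth, wl, fake_send), indent=2))
```

Because the credential travels in every request as a reversible Basic Auth header, keep the connector's Verify SSL setting enabled and route through the HTTP Proxy option only to a proxy you control; the `validate_entry` step is where a playbook should stop an enrichment result that is not actually an address from being written into an IP-typed list.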
### Add Watch List Entry

Adds entries to a specified watchlist in FortiSIEM, enhancing monitoring and alerting capabilities.

- Endpoint URL: `/phoenix/rest/watchlist/addTo`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlistId | number | Required | This is the id field of a watchlist; it identifies the watchlist to which the posted entries should be added |
| entryValue | string | Required | This is the value of the individual entry |
| firstSeen | number | Optional | First seen time in epoch milliseconds |
| lastSeen | number | Optional | Last seen time in epoch milliseconds |
| expiredTime | number | Optional | Time at which the watchlist entry expires and is removed, in epoch milliseconds |
| state | string | Optional | Entry state; options are Enabled, Disabled |
| description | string | Optional | Provide a description of the individual entry (optional) |
| ageOut | string | Optional | Lists the expiry time of the entry in human-readable format |
| count | number | Optional | This is a count of how many incidents have triggered that have a watchlist rule that would have been populated with this entry |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": "Successfully added to watch list [ids]",
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Delete Watch List by ID

Removes specified watchlists from FortiSIEM using their unique entry IDs.

- Endpoint URL: `/phoenix/rest/watchlist/delete`
- Method: DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": "Deleted watch lists [ids]",
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Delete Watch List Entry by ID

Removes specified entries from a watchlist in FortiSIEM by using their unique IDs.

- Endpoint URL: `/phoenix/rest/watchlist/entry/delete`
- Method: DELETE

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | string | Output field response |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": "Deleted entries [ids]",
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Fetch Incidents by Filters

Retrieve incidents by time or incidentId with specific filter options and fields.

- Endpoint URL: `/phoenix/rest/pub/incident`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| filters | object | Optional | Parameter for Fetch Incidents by Filters |
| incidentId | array | Optional | This is an array of integers representing specific incident IDs to filter by |
| incidentStatus | array | Optional | Incident statuses: 0 active incidents, 1 auto-cleared incidents, 2 manually cleared incidents, 3 system-cleared incidents |
| eventSeverity | array | Optional | Possible values are from 1 to 10. To specify 1 to 4, provide an array such as `[1,2,3,4]` |
| eventSeverityCat | array | Optional | Possible values are LOW, MEDIUM, HIGH. To specify more than one, provide an array such as `["LOW","HIGH"]` |
| phIncidentCategory | array | Optional | Possible values are from 1 to 5: 1 = Availability incidents, 2 = Performance incidents, 3 = Change incidents, 4 = Security incidents, 5 = Other incidents. To specify more than one, supply an array such as `[3,4,5]` (Security, Change, and Other) |
| phCustId | array | Optional | This filter accepts an array of organization IDs |
| customer | array | Optional | Parameter for Fetch Incidents by Filters |
| incidentReso | array | Optional | This field allows you to filter by incident resolution status. Possible values are from 0 to 4: 0 = None, 1 = Open, 2 = TruePositive, 3 = FalsePositive, 4 = InProgress. To specify more than one value, most fields accept an array such as `[0,1,2,3]` |
| timeTo | number | Optional | The incident "to" time range in epoch milliseconds; required if the incidentId filter list is not specified |
| timeFrom | number | Optional | The incident "from" time range in epoch milliseconds; required if the incidentId filter list is not specified |
| start | number | Optional | Optional offset to start with; not needed if you are iterating using queryId and page numbers |
| size | number | Optional | Number of items to return per page of incidents |
| orderBy | string | Optional | Set descending or ascending order of searched incidents using any datetime attribute such as incidentLastSeen |
| descending | string | Optional | Specify whether the sort order is ascending or descending; only needed if orderBy is set |
| fields | array | Optional | Array of all the incident fields you would like returned |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| incidentId | number | Unique identifier |
| incidentTitle | string | Unique identifier |
| eventSeverity | number | Output field eventSeverity |
| incidentFirstSeen | number | Unique identifier |
| incidentLastSeen | number | Unique identifier |
| incidentReso | number | Unique identifier |
| incidentRptIp | string | Unique identifier |
| incidentRptDevName | string | Unique identifier |
| incidentSrc | string | Unique identifier |
| incidentTarget | string | Unique identifier |
| count | number | Count value |
| attackTechnique | string | Output field attackTechnique |
| attackTactic | string | Output field attackTactic |
| phSubIncidentCategory | string | Unique identifier |
| eventType | string | Type of the resource |
| eventName | string | Name of the resource |
| phIncidentCategory | number | Unique identifier |
| incidentClearedTime | number | Unique identifier |
| eventSeverityCat | string | Output field eventSeverityCat |

#### Example

```json
[
  {
    "json_body": {
      "total": 4,
      "pages": 2,
      "data": [],
      "start": 0,
      "sizePerPage": 2,
      "queryId": "pub inc query 81 1684452618294"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Agent Status by Host

Incident status of Linux/Windows agents.

- Endpoint URL: `/phoenix/rest/agentStatus/all`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| request | string | Optional | Request query with the format `request=orgId,hostname` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

#### Example

```json
[
  {
    "json_body": {},
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get All Watch Lists

Retrieves all watchlists and their entries from FortiSIEM for monitoring and analysis.

- Endpoint URL: `/phoenix/rest/watchlist/all`
- Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| id | number | Unique identifier |
| naturalId | string | Unique identifier |
| displayName | string | Name of the resource |
| description | string | Output field description |
| valuePattern | string | Value for the parameter |
| ageOut | string | Output field ageOut |
| topGroup | boolean | Output field topGroup |
| entries | array | Output field entries |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |

#### Example

```json
[
  {
    "json_body": {
      "response": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Device Information

Fetches the CMDB device info.

- Endpoint URL: `/phoenix/rest/cmdbDeviceInfo/devices`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| organization | string | Optional | All devices in a particular org are fetched |
| includeIps | string | Optional | All devices in this address range are fetched |
| excludeIps | string | Optional | All devices in this address range are ignored |
| ip | string | Optional | Full info about this particular device is fetched |
| loadDepend | string | Optional | Can be set to true/false; full info about this particular device is fetched |
| fields | string | Optional | A section of information (applications, interfaces, processors, storages) about one device is fetched |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

#### Example

```json
[
  {
    "json_body": {},
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Devices

Retrieve a list of devices with a specific organization ID and device IP/host name.

- Endpoint URL: `/phoenix/rest/device/list`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| orgId | string | Required | The organization ID of the device |
| accessIp | string | Optional | The IP address of the device |
| name | string | Optional | The name of the device |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| id | number | Unique identifier |
| orgId | number | Unique identifier |
| orgName | string | Name of the resource |
| hostName | string | Name of the resource |
| accessIp | string | Output field accessIp |
| deviceType | string | Type of the resource |

#### Example

```json
[
  {
    "json_body": {
      "id": 111111,
      "orgId": 1,
      "orgName": "super",
      "hostName": "fsm test 123456 0000",
      "accessIp": "172.16.1.1",
      "deviceType": "redhat linux"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Event Query Progress by ID

Queries the progress of a previously submitted event query in FortiSIEM.

- Endpoint URL: `/phoenix/rest/query/progress/{{queryId}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| queryId | string | Required | This is the requestId value retrieved from the eventQuery response |
| headers | object | Required | HTTP headers for the request |
| Accept | string | Required | Parameter for Get Event Query Progress by ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

#### Example

```json
[
  {
    "json_body": {},
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Incident by Incident ID

Retrieve incidents by time or incidentId.

- Endpoint URL: `/phoenix/rest/pub/incident`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| status | array | Optional | Optional list of incident status integer types to filter by: Active = 0, Automatically Cleared = 1, Manually Cleared = 2, System Cleared = 3. To specify all, use `status=[0,1,2,3]` |
| incidentId | array | Optional | Array of incidents to query. If this value is used, the timeTo and timeFrom parameters are not needed |
| timeFrom | number | Optional | The incident "from" time range in epoch milliseconds; not required if querying by incident ID |
| timeTo | number | Optional | The incident "to" time range in epoch milliseconds; not required if querying by incident ID |
| size | number | Optional | Optional size parameter: the number of incidents to return per page of query results. Default is 500 |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| incidentId | number | Unique identifier |
| incidentTitle | string | Unique identifier |
| eventSeverity | number | Output field eventSeverity |
| incidentFirstSeen | number | Unique identifier |
| incidentLastSeen | number | Unique identifier |
| incidentReso | number | Unique identifier |
| incidentRptIp | string | Unique identifier |
| incidentRptDevName | string | Unique identifier |
| incidentSrc | string | Unique identifier |
| incidentTarget | string | Unique identifier |
| count | number | Count value |
| attackTechnique | string | Output field attackTechnique |
| attackTactic | string | Output field attackTactic |
| phSubIncidentCategory | string | Unique identifier |
| eventType | string | Type of the resource |
| eventName | string | Name of the resource |
| phIncidentCategory | number | Unique identifier |
| incidentClearedTime | number | Unique identifier |
| eventSeverityCat | string | Output field eventSeverityCat |

#### Example

```json
[
  {
    "json_body": {
      "total": 4,
      "pages": 2,
      "data": [],
      "start": 0,
      "sizePerPage": 2,
      "queryId": "pub inc query 81 1684452618294"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Incidents by Query ID

Retrieve incidents using a specific query ID and page number.

- Endpoint URL: `/phoenix/rest/pub/incident/{{queryId}}/{{pageNumber}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| queryId | string | Required | This is the queryId returned in the response body from the action Get Incident by Incident ID |
| pageNumber | number | Required | This parameter is the current page number to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| total | number | Output field total |
| pages | number | Output field pages |
| data | array | Response data |
| incidentId | number | Unique identifier |
| incidentTitle | string | Unique identifier |
| eventSeverity | number | Output field eventSeverity |
| incidentFirstSeen | number | Unique identifier |
| incidentLastSeen | number | Unique identifier |
| incidentReso | number | Unique identifier |
| incidentRptIp | string | Unique identifier |
| incidentRptDevName | string | Unique identifier |
| incidentSrc | string | Unique identifier |
| incidentTarget | string | Unique identifier |
| count | number | Count value |
| attackTechnique | string | Output field attackTechnique |
| attackTactic | string | Output field attackTactic |
| phSubIncidentCategory | string | Unique identifier |
| eventType | string | Type of the resource |
| eventName | string | Name of the resource |
| phIncidentCategory | number | Unique identifier |
| incidentClearedTime | number | Unique identifier |
| eventSeverityCat | string | Output field eventSeverityCat |

#### Example

```json
[
  {
    "json_body": {
      "total": 4,
      "pages": 2,
      "data": [],
      "start": 0,
      "sizePerPage": 2,
      "queryId": "pub inc query 81 1684452618294"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get List of Monitored Organizations

Retrieve a list of organizations currently monitored by FortiSIEM.

- Endpoint URL: `/phoenix/rest/config/Domain`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | Required | HTTP headers for the request |
| Accept | string | Required | Parameter for Get List of Monitored Organizations |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |

#### Example

```json
[
  {
    "json_body": {},
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Watch List by Watch List Entry ID

Retrieve a specific watchlist in FortiSIEM by providing the unique entry ID.

- Endpoint URL: `/phoenix/rest/watchlist/byEntry/{{watchlistEntryId}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlistEntryId | string | Required | This is the id field of an individual entry within a watchlist to search with |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| id | number | Unique identifier |
| naturalId | string | Unique identifier |
| displayName | string | Name of the resource |
| description | string | Output field description |
| valuePattern | string | Value for the parameter |
| ageOut | string | Output field ageOut |
| topGroup | boolean | Output field topGroup |
| entries | array | Output field entries |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": {},
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Watch List by Watch List ID

Retrieve details of a specific watchlist in FortiSIEM by providing the watchlist ID.

- Endpoint URL: `/phoenix/rest/watchlist/{{watchlistId}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlistId | string | Required | The ID of the watchlist to retrieve |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | array | Output field response |
| id | number | Unique identifier |
| naturalId | string | Unique identifier |
| displayName | string | Name of the resource |
| description | string | Output field description |
| valuePattern | string | Value for the parameter |
| ageOut | string | Output field ageOut |
| topGroup | boolean | Output field topGroup |
| entries | array | Output field entries |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |

#### Example

```json
[
  {
    "json_body": {
      "response": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Get Watch List Entry by Watch List Entry ID

Retrieves a specific watchlist entry from FortiSIEM using the provided entry ID.

- Endpoint URL: `/phoenix/rest/watchlist/entry/{{watchlistEntryId}}`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlistEntryId | string | Required | This is the id field of an individual entry within a watchlist to search with |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": {},
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Retrieve Context by Hostname

Retrieves the context information associated with a specified hostname in FortiSIEM.

- Endpoint URL: `/phoenix/rest/context/hostname`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | string | Required | The hostname to retrieve context for |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| value | string | Value for the parameter |
| hostname | string | Name of the resource |
| deviceType | string | Type of the resource |
| importance | string | Output field importance |
| externalLookups | object | Output field externalLookups |
| domain | string | Output field domain |
| fortiguardIocResult | object | Result of the operation |
| wf_cate | string | Output field wf_cate |
| ioc_tags | string | Output field ioc_tags |
| verdict | string | Output field verdict |
| confidence | string | Unique identifier |
| av_cate | string | Output field av_cate |
| ioc_cate | string | Output field ioc_cate |
| spam_cate | string | Output field spam_cate |

#### Example

```json
[
  {
    "json_body": {
      "contexts": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Retrieve Context by IP

Retrieves the context information associated with a specified IP address from FortiSIEM.

- Endpoint URL: `/phoenix/rest/context/ip`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | string | Required | The IP address to retrieve context for |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| value | string | Value for the parameter |
| hostname | string | Name of the resource |
| deviceType | string | Type of the resource |
| importance | string | Output field importance |
| location | object | Output field location |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| region | string | Output field region |
| city | string | Output field city |
| latitude | number | Output field latitude |
| longitude | number | Output field longitude |
| deviceCustomProperties | array | Output field deviceCustomProperties |
| propertyName | string | Name of the resource |
| propertyValue | string | Value for the parameter |
| identities | array | Unique identifier |
| ipAddr | string | Output field ipAddr |
| firstSeenTime | string | Time value |
| lastSeenTime | string | Time value |
| performanceInfo | object | Output field performanceInfo |
| cpuUtil | number | Output field cpuUtil |
| memUtil | number | Output field memUtil |

#### Example

```json
[
  {
    "json_body": {
      "contexts": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Retrieve Context by User

Retrieves the contextual data for a specified user within FortiSIEM, aiding in user-centric analysis.

- Endpoint URL: `/phoenix/rest/context/user`
- Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| value | string | Required | The name of the user to retrieve context for |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| contexts | array | Output field contexts |
| value | string | Value for the parameter |
| location | object | Output field location |
| latitude | number | Output field latitude |
| longitude | number | Output field longitude |
| userInfo | object | Output field userInfo |
| groups | array | Output field groups |
| topEventTypes | array | Type of the resource |
| eventType | string | Type of the resource |
| eventName | string | Name of the resource |
| count | number | Count value |

#### Example

```json
[
  {
    "json_body": {
      "contexts": []
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

### Update Incident

Update a single FortiSIEM incident.

- Endpoint URL: `/phoenix/rest/pub/incident/update/{{incidentId}}`
- Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| incidentId | string | Required | This is the incidentId to update |
| incidentId | number | Optional | This is the unique incident ID for this individual trigger of this incident |
| incidentTitle | string | Optional | Dynamic title of the incident |
| eventSeverity | number | Optional | Integer severity 1 to 10 (1-4 low, 5-8 medium, 9-10 high) |
| incidentFirstSeen | number | Optional | Incident first seen time in epoch milliseconds |
| incidentLastSeen | number | Optional | Incident last seen time in epoch milliseconds |
| incidentReso | number | Optional | Incident resolution integer value: None = 0, Open = 1, TruePositive = 2, FalsePositive = 3, InProgress = 4 |
| incidentRptIp | string | Optional | Incident reporting IP: log source of the incident |
| incidentRptDevName | string | Optional | This is the incident reporting device name, the hostname of the log source of the incident |
| incidentSrc | string | Optional | Attributes identifying the source of the incident, defined as a comma-separated list of pairs. This is optional and depends on the incident |
| incidentTarget | string | Optional | Attributes identifying the target of the incident, defined as a comma-separated list of pairs. This is optional and depends on the incident |
| count | number | Optional | Incident count. While the incident is active, this is the number of times the active incident has triggered for a distinct event window |
| attackTechnique | string | Optional | The associated MITRE ATT&CK technique ID and technique name |
| attackTactic | string | Optional | This is the MITRE tactic associated with the incident |
| phSubIncidentCategory | string | Optional | Incident subcategory, often synonymous with MITRE tactic but can be other categories as well |
| eventType | string | Optional | This is the incident event type, a special unique identifier of the incident/rule, not to be confused with a raw event's event type |
| eventName | string | Optional | This is the incident name (display name), equivalent to the underlying rule name |
| phIncidentCategory | number | Optional | This is the integer incident category: Availability = 1, Performance = 2, Change = 3, Security = 4 and Other = 5 |
| incidentClearedTime | number | Optional | Incident cleared time in epoch milliseconds; if 0, it has never been cleared |
| eventSeverityCat | string | Optional | String representation of incident severity: LOW, MEDIUM, HIGH |
| incidentDetail | string | Optional | Incident detail metadata associated with the incident, defined as a comma-separated list of pairs. This is optional and depends on the incident |
| incidentStatus | number | Optional | Integer incident status types to filter by: Active = 0, Automatically Cleared = 1, Manually Cleared = 2 and System Cleared = 3 |
| customer | string | Optional | This is the FortiSIEM organization name for which the incident triggered |
| phCustId | number | Optional | This is the FortiSIEM organization ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "response_text": "success"
  }
]
```

### Update Watch List Entry

Updates a specified watchlist entry in FortiSIEM by providing the unique entry ID.

- Endpoint URL: `/phoenix/rest/watchlist/entry/save`
- Method: PUT

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | Required | The integer identifier of a single watchlist entry; this is used to search for the watchlist entry and update it |
| entryValue | string | Required | This is the new value of the watchlist entry to update |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| reason | string | Response reason phrase |
| status_code | number | HTTP status code of the response |
| response | object | Output field response |
| id | number | Unique identifier |
| firstSeen | number | Output field firstSeen |
| lastSeen | number | Output field lastSeen |
| expiredTime | number | Time value |
| state | string | Output field state |
| naturalId | string | Unique identifier |
| triggeringRules | string | Output field triggeringRules |
| entryValue | string | Value for the parameter |
| description | string | Output field description |
| ageOut | string | Output field ageOut |
| count | number | Count value |
| dataCreationType | number | Response data |
| status | string | Status value |

#### Example

```json
[
  {
    "json_body": {
      "response": {},
      "status": "success"
    },
    "reason": "OK",
    "response_headers": {},
    "status_code": 200
  }
]
```

## Notes

This connector was developed against product version 7.1.3.
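The Fetch Incidents by Filters, Get Incident by Incident ID and Get Incidents by Query ID actions form one procedure: POST a filter set (with `timeFrom`/`timeTo` unless `incidentId` is given), read `queryId` and `pages` from the response, then walk the remaining pages by `queryId` and page number. The following added example (not part of the connector documentation or Fortinet's code) validates each documented filter list against its allowed values before sending, so a mistyped status or category fails in the playbook instead of silently matching nothing or everything, and then drives the paging loop. It assumes the POST response is page 1 and that further pages are numbered 2 through `pages` (an assumption to confirm against your FortiSIEM build); the `send`/`fake_send` transport and the two-page server responses are constructed for the example.

```python
"""Fetch FortiSIEM incidents by filter and walk the paged result set.

Added example, not part of the connector documentation or Fortinet's code.
Assumes the POST /phoenix/rest/pub/incident body and the
GET /phoenix/rest/pub/incident/{queryId}/{pageNumber} path documented on the
page, and (an assumption) that the POST response is page 1 with further pages
numbered 2..pages. Server responses below are constructed.
"""
import json
from typing import Callable, Dict, Iterator, List, Optional

INCIDENT_PATH = "/phoenix/rest/pub/incident"

# Documented value ranges; checked client-side so a bad filter fails fast.
RANGES = {
    "incidentStatus": range(0, 4),      # 0 active .. 3 system cleared
    "eventSeverity": range(1, 11),      # 1 .. 10
    "phIncidentCategory": range(1, 6),  # 1 availability .. 5 other
    "incidentReso": range(0, 5),        # 0 none .. 4 in progress
}
SEVERITY_CATS = {"LOW", "MEDIUM", "HIGH"}
FREE_FORM = {"incidentId", "phCustId", "customer"}  # IDs/names, not enumerations


def build_filters(**filters: List) -> Dict[str, List]:
    """Validate each documented filter list against its allowed values."""
    out: Dict[str, List] = {}
    for name, values in filters.items():
        if name in RANGES:
            bad = [v for v in values if v not in RANGES[name]]
        elif name == "eventSeverityCat":
            bad = [v for v in values if v not in SEVERITY_CATS]
        elif name in FREE_FORM:
            bad = []
        else:
            raise ValueError(f"unknown filter {name}")
        if bad:
            raise ValueError(f"{name}: invalid values {bad}")
        out[name] = list(values)
    return out


# (method, url, body) -> parsed JSON; hypothetical transport signature
Transport = Callable[[str, str, Optional[bytes]], Dict]


def iter_incidents(send: Transport, base_url: str, filters: Dict,
                   time_from: int, time_to: int, size: int = 500,
                   fields: Optional[List[str]] = None) -> Iterator[Dict]:
    """Yield every incident matching the filters across all result pages."""
    if "incidentId" not in filters and not (time_from and time_to):
        raise ValueError("timeFrom/timeTo required unless incidentId is given")
    body = {"filters": filters, "timeFrom": time_from, "timeTo": time_to, "size": size}
    if fields:
        body["fields"] = fields  # restrict returned columns, e.g. ["incidentId", "eventSeverity"]
    first = send("POST", base_url + INCIDENT_PATH, json.dumps(body).encode())
    yield from first.get("data", [])
    query_id, pages = first.get("queryId"), int(first.get("pages", 1))
    for page in range(2, pages + 1):  # assumption: pages after the POST are 2..pages
        nxt = send("GET", f"{base_url}{INCIDENT_PATH}/{query_id}/{page}", None)
        yield from nxt.get("data", [])


def collect_incidents(send: Transport, base_url: str, filters: Dict,
                      time_from: int, time_to: int, size: int = 500) -> List[Dict]:
    return list(iter_incidents(send, base_url, filters, time_from, time_to, size))


# Constructed two-page server, shaped like the page's example (total 4, pages 2, sizePerPage 2).
FAKE_QUERY_ID = "pub-inc-query-EXAMPLE"
_FAKE_PAGES = {
    1: [{"incidentId": 101, "eventSeverity": 9}, {"incidentId": 102, "eventSeverity": 7}],
    2: [{"incidentId": 103, "eventSeverity": 5}, {"incidentId": 104, "eventSeverity": 10}],
}
CALLS: List[str] = []  # records every request the loop makes


def fake_send(method: str, url: str, body: Optional[bytes]) -> Dict:
    CALLS.append(f"{method} {url}")
    if method == "POST":
        return {"total": 4, "pages": 2, "start": 0, "sizePerPage": 2,
                "queryId": FAKE_QUERY_ID, "data": _FAKE_PAGES[1]}
    page = int(url.rsplit("/", 1)[1])
    return {"total": 4, "pages": 2, "queryId": FAKE_QUERY_ID, "data": _FAKE_PAGES[page]}


if __name__ == "__main__":
    flt = build_filters(incidentStatus=[0], phIncidentCategory=[4], eventSeverityCat=["HIGH"])
    for inc in iter_incidents(fake_send, "https://fortisiem.example.invalid", flt,
                              1684452618294 - 3_600_000, 1684452618294, size=2):
        print(inc)
    print(CALLS)
```

Keep `size` modest and pass `fields` in production: the incident records carry `incidentSrc`, `incidentTarget` and `incidentDetail` pair lists that are large, and a playbook that only needs IDs and severities should not pull them for every page. When a run is interrupted, the `queryId` can be reused with Get Incidents by Query ID to resume from the last page rather than re-issuing the POST.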